With the targeted focus on integrating security into operational readiness
stances in some enterprises these days, I was curious if there was guidance
out there on the security metrics that some consulting firms and internal
security teams are working to establish.

Given the choice of list, obviously my focus at present is
Microsoft-stack-centric enterprise environments here.

I was also thinking about reporting from two tier perspectives: the CIO and
the Security functional leadership team that owns the necessary
engineering/administration disciplines which implement, monitor, and respond
to security events and practices.